From 0055690e54a89e0baf2000320c7a36cf3e74a802 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Fri, 23 Mar 2018 15:40:35 +0900
Subject: [PATCH 1/3] =?UTF-8?q?alert.php=20=EC=BD=94=EB=93=9C=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/alert.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/bbs/alert.php b/bbs/alert.php
index dabe311f6..9d4475203 100644
--- a/bbs/alert.php
+++ b/bbs/alert.php
@@ -28,6 +28,7 @@ include_once(G5_PATH.'/head.sub.php');
 // 파일만 가능합니다.
 // 공백이 없어야 합니다.
 
+$msg = isset($msg) ? strip_tags($msg) : '';
 $msg2 = str_replace("\\n", "<br>", $msg);
 
 $url = clean_xss_tags($url);
@@ -36,7 +37,7 @@ if (!$url) $url = clean_xss_tags($_SERVER['HTTP_REFERER']);
 $url = preg_replace("/[\<\>\'\"\\\'\\\"\(\)]/", "", $url);
 
 // url 체크
-check_url_host($url);
+check_url_host($url, $msg);
 
 if($error) {
     $header2 = "다음 항목에 오류가 있습니다.";
@@ -46,7 +47,7 @@ if($error) {
 ?>
 
 <script>
-alert("<?php echo strip_tags($msg); ?>");
+alert("<?php echo $msg; ?>");
 //document.location.href = "<?php echo $url; ?>";
 <?php if ($url) { ?>
 document.location.replace("<?php echo str_replace('&amp;', '&', $url); ?>");

From 78a6943ed888523f10172db9e4e9f0fe9412ec85 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Mon, 26 Mar 2018 09:15:10 +0900
Subject: [PATCH 2/3] =?UTF-8?q?=ED=83=80=EB=8F=84=EB=A9=94=EC=9D=B8=20?=
 =?UTF-8?q?=EB=A6=AC=EB=8B=A4=EC=9D=B4=EB=A0=89=ED=8A=B8=20=EC=B2=B4?=
 =?UTF-8?q?=ED=81=AC=20=EC=98=A4=EB=A5=98=20=EC=BD=94=EB=93=9C=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 bbs/login_check.php    | 2 +-
 bbs/member_confirm.php | 2 +-
 lib/common.lib.php     | 6 +++---
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bbs/login_check.php b/bbs/login_check.php
index a66ed1c44..fadee0bbc 100644
--- a/bbs/login_check.php
+++ b/bbs/login_check.php
@@ -67,7 +67,7 @@ if ($auto_login) {
 
 if ($url) {
     // url 체크
-    check_url_host($url);
+    check_url_host($url, '', G5_URL, true);
 
     $link = urldecode($url);
     // 2003-06-14 추가 (다른 변수들을 넘겨주기 위함)
diff --git a/bbs/member_confirm.php b/bbs/member_confirm.php
index e5abe169e..d3631e267 100644
--- a/bbs/member_confirm.php
+++ b/bbs/member_confirm.php
@@ -17,7 +17,7 @@ include_once('./_head.sub.php');
 $url = clean_xss_tags($_GET['url']);
 
 // url 체크
-check_url_host($url);
+check_url_host($url, '', G5_URL, true);
 
 $url = get_text($url);
 
diff --git a/lib/common.lib.php b/lib/common.lib.php
index 03473b27a..8bf11615f 100644
--- a/lib/common.lib.php
+++ b/lib/common.lib.php
@@ -3008,7 +3008,7 @@ function check_password($pass, $hash)
 }
 
 // 동일한 host url 인지
-function check_url_host($url, $msg='', $return_url=G5_URL)
+function check_url_host($url, $msg='', $return_url=G5_URL, $is_redirect=false)
 {
     if(!$msg)
         $msg = 'url에 타 도메인을 지정할 수 없습니다.';
@@ -3018,7 +3018,7 @@ function check_url_host($url, $msg='', $return_url=G5_URL)
     $is_host_check = false;
     
     // url을 urlencode 를 2번이상하면 parse_url 에서 scheme와 host 값을 가져올수 없는 취약점이 존재함
-    if ( !isset($p['host']) && urldecode($url) != $url ){
+    if ( $is_redirect && !isset($p['host']) && urldecode($url) != $url ){
         $i = 0;
         while($i <= 3){
             $url = urldecode($url);
@@ -3040,7 +3040,7 @@ function check_url_host($url, $msg='', $return_url=G5_URL)
 
     //php 5.6.29 이하 버전에서는 parse_url 버그가 존재함
     //php 7.0.1 ~ 7.0.5 버전에서는 parse_url 버그가 존재함
-    if ( (isset($p['host']) && $p['host']) ) {
+    if ( $is_redirect && (isset($p['host']) && $p['host']) ) {
         $bool_ch = false;
         foreach( array('user','host') as $key) {
             if ( isset( $p[ $key ] ) && strpbrk( $p[ $key ], ':/?#@' ) ) {

From 87fdbc788251142c00f9898072d01bad59957200 Mon Sep 17 00:00:00 2001
From: thisgun <thisgun@naver.com>
Date: Mon, 26 Mar 2018 09:39:47 +0900
Subject: [PATCH 3/3] =?UTF-8?q?5.2.9.8.4=20=EB=B2=84=EC=A0=84=20=EC=88=98?=
 =?UTF-8?q?=EC=A0=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 config.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config.php b/config.php
index 826b29242..fe5efba8d 100644
--- a/config.php
+++ b/config.php
@@ -5,7 +5,7 @@
 ********************/
 
 define('G5_VERSION', '그누보드5');
-define('G5_GNUBOARD_VER', '5.2.9.8.3');
+define('G5_GNUBOARD_VER', '5.2.9.8.4');
 
 // 이 상수가 정의되지 않으면 각각의 개별 페이지는 별도로 실행될 수 없음
 define('_GNUBOARD_', true);